In cybersecurity, attribution helps understand attacks, plan defenses

When investigators began dissecting a cyberattack that infiltrated U.S. and European power companies, they found something curious: strings of code with words in both Russian and French.

But this wasn’t some sloppy mistake by shadowy hackers — in fact, the experts concluded, the attackers probably coded in two languages on purpose.

Leaving false clues is one of the many ways hackers can conceal their identities. They also spoof IP addresses, switch toolkits and use other techniques to confuse the analysts who are trying to track their tradecraft. All that makes attribution, or the act of identifying who is behind a hack, a complex and costly affair.

But knowing who is behind a hack is useful in defending against the next wave. In late 2017, the U.S. government formally identified hackers from North Korea as the perpetrators of WannaCry, a cyberattack that locked up computers around the world and held their contents ransom. Identifying the attackers should sound an alarm for companies everywhere, said Michael Daly, Raytheon's chief technology officer for cybersecurity and special missions.

"The message for any company doing business on the internet is that North Korea sees you as a target," he said. "So do other rogue nation-states, and so do transnational crime organizations. For them, ransomware is an irresistible crime."

While identifying attackers is useful to the private sector, the act of doing the identification itself is best left to military and intelligence agencies, experts say. Commercial information-security specialists should focus their resources on protecting whatever it is the hackers might be out to get.

"All you know is, you're being attacked and will be again tomorrow," said Carl Leonard, a principal security analyst for Forcepoint, a commercial cybersecurity company jointly owned by Raytheon. "If you cannot afford to spend the resources finding out who has done it and instead can put them into fending them off or defending yourself, you’re probably better off doing that."

In other words, it’s law enforcement’s job to hold hackers responsible and a company’s job to protect itself. Cybersecurity consulting firms such as Raytheon and Forcepoint can help businesses that have been hacked determine when they can handle a hack internally, and when to contact authorities.

Many cybersecurity breaches stem from the actions of an authorized user on a network, or what’s known as “insider threat.” Knowing whether those actions were deliberate can help determine whether a hack is strictly an internal problem or a matter for law enforcement.

Part of that decision is determining intent. When an employee attacks a company on purpose, attribution would matter, and the company would likely want to contact the authorities. When an employee lets malware into the network by mistake – clicking on a malicious attachment in an otherwise normal-looking email, for example – the company might handle that with follow-up cybersecurity training.

And when an employee’s network credentials are stolen, which would allow hackers to assume that person’s identity and exploit their access to information, attribution is especially important, Leonard said.

"If you see Bob in accounting is taking upcoming quarterly financial results he could use to give to competitors or for insider stock trading, is it really him? Bob's been an excellent employee, years of great service, and there’s no indication and he’s suddenly gone rogue," Leonard said. "If it’s an insider situation, it’s vital to know whose credentials are being used. But then, do you really know if it’s that person doing it?"

While commercial companies may or may not need to know who’s behind an attack, government, military and intelligence agencies almost certainly do. Yet even when they can attribute an attack successfully, a different problem arises — whether to take action, or leave it alone and continue to collect information.

"As soon as you say you want to destroy this source, there goes the chances of getting more intelligence," said Bill Leigher, a retired U.S. Navy rear admiral who now leads Raytheon’s government cybersecurity programs. "It becomes this tension between, 'Do I protect my source and attribution, or do we destroy all the data and deny the enemy a capability?'"

For government agencies, attribution can also help state their case against hostile nations. For example, if it’s clear hackers were working on behalf of a rogue state, that can inform public opinion and foreign policy.

"To say 'We know you did it' is a relatively easy thing to do," Leigher said. "It’s just part of the body of evidence against an attacker."